Summary: The Limits of Global Scanning Worm Detectors
in the Presence of Background Noise
David W. Richardson, Steven D. Gribble, and Edward D. Lazowska
Department of Computer Science & Engineering, University of Washington
{daverich,gribble,lazowska}@cs.washington.edu
ABSTRACT
Internet worms cause billions of dollars in damage each year.
To combat them, researchers have been exploring global
worm detection systems to spot a new random scanning
worm outbreak quickly. These systems passively listen for
worm probes on unused IP addresses, looking for anomalous
increases in probe traffic to distinguish the emergence of a
new worm from background Internet noise.
In this paper, we use analytic modeling, simulation, and
measurement to understand how background noise impacts
the detection ability of global scanning worm detectors. We
investigate the relationship between the average background
noise level, the number of IP addresses monitored, and the
detection latency for two classes of global scanning worm
detectors: scan packet-based and victims-based schemes. Our